Opened 6 months ago

Last modified 6 months ago

#34130 merge_ready defect

Tor won't start with seccomp sandbox when compiled with --enable-nss

Reported by: Jigsaw52
Owned by:
Priority: Medium
Milestone: Tor: 0.4.3.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: nss sandbox seccomp 035-backport 041-backport-maybe 042-backport 043-backport
Cc:
Actual Points:
Parent ID:
Points:
Reviewer: nickm
Sponsor:

Description

After compiling tor with the --enable-nss flag, starting tor with "Sandbox 1" in torrc results in the following error:

May 06 21:47:46.198 [notice] Tor 0.4.4.0-alpha-dev (git-42dfcd0ae3f7a872) running on Linux with Libevent 2.1.8-stable, NSS 3.35, Zlib 1.2.11, Liblzma 5.2.2, and Libzstd 1.3.3.
May 06 21:47:46.198 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
May 06 21:47:46.198 [notice] This version is not a stable Tor release. Expect more bugs than usual.
May 06 21:47:46.198 [notice] Read configuration file "/home/daniel/Desktop/torrc_sandbox".
May 06 21:47:46.200 [notice] Opening Socks listener on 127.0.0.1:9050
May 06 21:47:46.200 [notice] Opened Socks listener on 127.0.0.1:9050
May 06 21:47:46.000 [notice] Parsing GEOIP IPv4 file /usr/local/share/tor/geoip.
May 06 21:47:46.000 [notice] Parsing GEOIP IPv6 file /usr/local/share/tor/geoip6.
May 06 21:47:46.000 [warn] TLS error PR_NO_ACCESS_RIGHTS_ERROR while constructing a client TLS context: Access Denied
May 06 21:47:46.000 [err] Error creating TLS context for Tor client.
May 06 21:47:46.000 [err] Error initializing keys; exiting

Change History (8)

comment:1 Changed 6 months ago by Jigsaw52

Status: new → needs_review

Added pull request that fixes this issue: https://github.com/torproject/tor/pull/1884

comment:2 Changed 6 months ago by nickm

Keywords: backport? added
Milestone: Tor: 0.4.4.x-final
Reviewer: nickm

The fix looks fine, but is this really a "bugfix on 0.4.4.0-alpha"? That is, is 0.4.4.0-alpha really the first version that has this bug, or is the bug older than that?

We try to keep track of which version introduced the bug, so we know how far back we might need to backport each fix.

comment:3 Changed 6 months ago by teor

Here are some instructions for finding the earliest commit with a particular string:
https://gitweb.torproject.org/tor.git/tree/doc/HACKING/CodingStandards.md#n113
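
The linked coding standards describe locating the commit that first introduced a string, which is how the "bugfix on" version in a changes file gets determined. The script below is an added example, not code from the ticket, from tor.git, or from the linked document: it builds a throwaway repository that stands in for Tor's history (file contents, commit messages and tag names are constructed) and uses git's pickaxe search (`git log -S`) to find the commit that introduced `--enable-nss`, then `git describe --contains` to name the first tag, i.e. the first release, that shipped it.

```shell
#!/bin/sh
# Added example, not code from the ticket or from tor.git: a throwaway
# repository stands in for Tor's history so the commands run offline.
# File contents, commit messages and tag names below are constructed.
set -eu

# Build a small repository: the configure option appears in the second
# commit, which is the commit tagged tor-0.3.5.1-alpha (constructed tags).
make_demo_repo() {
  repo="$1"
  rm -rf "$repo"
  git init -q "$repo"
  git -C "$repo" config user.email "demo@example.invalid"
  git -C "$repo" config user.name "demo"
  git -C "$repo" config commit.gpgsign false

  printf 'AC_ARG_ENABLE(openssl, AS_HELP_STRING(--enable-openssl, [use OpenSSL]))\n' \
    > "$repo/configure.ac"
  git -C "$repo" add configure.ac
  git -C "$repo" commit -q -m "configure: initial crypto backend option"
  git -C "$repo" tag tor-0.3.4.1-alpha

  printf 'AC_ARG_ENABLE(nss, AS_HELP_STRING(--enable-nss, [use NSS]))\n' \
    >> "$repo/configure.ac"
  git -C "$repo" commit -q -am "configure: add --enable-nss option"
  git -C "$repo" tag tor-0.3.5.1-alpha

  printf 'later, unrelated change\n' > "$repo/README"
  git -C "$repo" add README
  git -C "$repo" commit -q -m "unrelated follow-up work"
  git -C "$repo" tag tor-0.4.4.0-alpha-dev
}

# Pickaxe search: list commits whose diff changed the number of occurrences
# of the string, oldest first; the first hit is where the string appeared.
# Prints nothing when no commit ever touched the string.
first_commit_with() {
  repo="$1"
  needle="$2"
  git -C "$repo" log --all --reverse --format=%H -S"$needle" | head -n 1
}

# First tag whose history contains the commit, i.e. the first release the
# change shipped in. describe --contains may print "tag~N"; keep the tag only.
first_tag_containing() {
  repo="$1"
  commit="$2"
  git -C "$repo" describe --contains "$commit" | sed 's/[~^].*$//'
}

# Stand-alone run: build the demo history and answer the two questions.
demo="$(mktemp -d)"
make_demo_repo "$demo/repo"
c="$(first_commit_with "$demo/repo" '--enable-nss')"
printf 'string introduced in commit: %s\n' "$c"
printf 'first tag containing it:     %s\n' "$(first_tag_containing "$demo/repo" "$c")"
rm -rf "$demo"
```

Against a real checkout the same two functions are run with the repository path and the string of interest; the tag that comes back is the version to name in the changes file, and that version also bounds how far back a backport has to go.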

comment:4 Changed 6 months ago by Jigsaw52

This bug exists since the --enable-nss flag was implemented in tor-0.3.5.1-alpha.
I've updated the changes file.

I can reproduce the problem on 0.3.5.1-alpha but this patch is not enough to fix it in that version, it crashes with a call to setsockopt. Some change in the sandbox rules for setsockopt or removal of code that called setsockopt must have happened between this version and the current master.

comment:5 in reply to: 4; Changed 6 months ago by teor

Replying to Jigsaw52:

This bug exists since the --enable-nss flag was implemented in tor-0.3.5.1-alpha.
I've updated the changes file.

I can reproduce the problem on 0.3.5.1-alpha but this patch is not enough to fix it in that version, it crashes with a call to setsockopt. Some change in the sandbox rules for setsockopt or removal of code that called setsockopt must have happened between this version and the current master.

Can you try 0.3.5.10?

We've fixed some general seccomp sandbox bugs recently, like #29819 in 0.3.5.10.

comment:6 in reply to: 5; Changed 6 months ago by Jigsaw52

Replying to teor:

Replying to Jigsaw52:

This bug exists since the --enable-nss flag was implemented in tor-0.3.5.1-alpha.
I've updated the changes file.

I can reproduce the problem on 0.3.5.1-alpha but this patch is not enough to fix it in that version, it crashes with a call to setsockopt. Some change in the sandbox rules for setsockopt or removal of code that called setsockopt must have happened between this version and the current master.

Can you try 0.3.5.10?

We've fixed some general seccomp sandbox bugs recently, like #29819 in 0.3.5.10.

I've tested it. The patch works on 0.3.5.10.

comment:7 Changed 6 months ago by teor

Keywords: 035-backport 041-backport-maybe 042-backport 043-backport added; backport? removed

Thanks! It looks like we need to backport to 0.3.5 and later.

I've marked this ticket with the relevant backport tags.

0.4.1 will be obsolete on 20 May 2020, so I'm not sure if we will backport or do a patch release for 0.4.1:
https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases#Current

comment:8 Changed 6 months ago by nickm

Milestone: Tor: 0.4.4.x-final → Tor: 0.4.3.x-final
Status: needs_review → merge_ready

I've made a branch against 0.3.5 that cherry-picks this patch, as bug34130_035. The PR for that is https://github.com/torproject/tor/pull/1887.

I've merged it to master, and am marking for backport. Additional 0.4.1 releases are indeed unlikely. :)
